Analysis Date: 2014-12-23 05:31:43
MD5: 1417ac8ea04341421a2aa05654b99384
SHA1: 585d35655bda4becc6ada47b9c08a0b68171135f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 90cee498525c8959d338e1873dad9818 sha1: bfde39784fd93a46347eca0fcb3f83b372991506 size: 9216
Section .data  md5: fa76b4d8f5f98240d5c0c07ce372242d sha1: 73d0478224187aca34a931f9f7aa32e12015a787 size: 13312
Section .bss   md5: 742f3a5f230ed98c5f3dee6ae27e7254 sha1: 8e6e2efafceb7fa295bdde71c819ed2e5381c0e3 size: 188416
Section .idata md5: 4f24c793b610fd04de65c2e01f9c4f49 sha1: 4a95fb15424c6c4a58f8c4d9857f35ba8332b737 size: 3072
Section .rsrc  md5: 97c1ac43e94a6f7c8e2e5eb21e93eda0 sha1: 98edcfcabf5ca23ccf9376357731783e1cae0fee size: 4096
(Analyst note: a 184 KB .bss next to a 9 KB .text is consistent with an unpacking stub reserving space for a decrypted payload, which matches the "Crypt"/"Kryptik"/"Cryptor" detection names below; the static imports and strings therefore describe the wrapper, not necessarily the payload.)
Timestamp: 2009-04-08 17:13:31
(Analyst note: the PE link timestamp predates the "Copyright © 2010" string in the version resource, and the CompanyName "videosoft" does not match the copyright holder "H PC Tools" — at least one of these fields is fabricated, so the version information should not be used for attribution.)
Version info:
  LegalCopyright: Copyright © 2010 H PC Tools. All rights reserved. Jv
  InternalName: dmagsQh.exe
  FileVersion: 7.0.0.61
  CompanyName: videosoft
  LegalTrademarks:
  Comments:
  ProductName: 3C MW
  ProductVersion: 7.0.0.61
  FileDescription: MYVideo Component
  OriginalFilename: dmagsQh.exe
PEhash: 3b17e6d1a89e42963c193c61035a6f1193b069a8
IMPhash: 77e796cc53c2e9de752393b59f5fa574
AV detections (vendor: signature name):
  360 Safe: Gen:Variant.Kazy.20920
  Ad-Aware: Gen:Variant.Kazy.20920
  Alwil (avast): MalOb-IJ [Cryp]
  Arcabit (arcavir): Gen:Variant.Kazy.20920
  Authentium: W32/FakeAlert.KN.gen!Eldorado
  Avira (antivir): TR/Crypt.XPACK.Gen2
  BullGuard: Gen:Variant.Kazy.20920
  CA (E-Trust Ino): Win32/Renos.D!generic
  CAT (quickheal): Trojan.Renos.LN
  ClamAV: Win.Trojan.Downloader-31267
  Dr. Web: Trojan.Inject.34178
  Emsisoft: Gen:Variant.Kazy.20920
  Eset (nod32): Win32/Kryptik.AJNC
  Fortinet: W32/Diple.IZ!tr
  Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
  F-Secure: Gen:Variant.Kazy.20920
  Grisoft (avg): Generic22.WHU
  Ikarus: Trojan-Downloader.Win32.Renos
  K7: Riskware ( 0015e4f01 )
  Kaspersky: Trojan.Win32.Diple.neb
  MalwareBytes: Trojan.Downloader
  Mcafee: Downloader-CEW.ap
  Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
  MicroWorld (escan): Gen:Variant.Kazy.20920
  Rising: Trojan.Win32.Generic.1286766F
  Sophos: Mal/FakeAV-IZ
  Symantec: Trojan.FakeAV!gen52
  Trend Micro: TROJ_AGENT.SMAH
  VirusBlokAda (vba32): Malware-Cryptor.Win32.0074
(Analyst note: the non-generic names converge on a downloader for rogue/fake antivirus software (Renos, FakeAlert, FakeAV) wrapped in a crypter; the generic "Kazy"/"Kryptik"/"Crypt" names describe the packer, not the family. Treat these as heuristic labels, not a confirmed family attribution.)

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs ➝ NULL
  (The new value data was not captured by the sandbox (NULL). Because the service created below is hosted by svchost.exe -k netsvcs, this write most plausibly appends the service name "SSHNAS" to the netsvcs group list so the dropped DLL is loaded inside a system svchost at boot — confirm against a registry snapshot.)
Creates File: C:\WINDOWS\system32\sshnas21.dll
Creates Process: rundll32.exe C:\WINDOWS\system32\sshnas21.dll,GetHandle
Creates Service: SSHNAS - %SystemRoot%\system32\svchost.exe -k netsvcs
(Analyst note: writing to %SystemRoot%\system32, editing HKLM and installing a service all require administrative rights; this is consistent with the embedded manifest in the strings section, which requests requestedExecutionLevel "highestAvailable" under the assembly name "Windows - Setup UAC". Host-based indicators from this section: the file path sshnas21.dll, the service name SSHNAS, and the rundll32 export name GetHandle.)

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
  (This is the WMI event subsystem log written by a system svchost.exe; it is most likely sandbox background activity rather than an action of the sample, and should not be used as an indicator.)

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1852

Process
↳ Pid 1132

Process
↳ rundll32.exe C:\WINDOWS\system32\sshnas21.dll,GetHandle

Creates Mutex: Global\{02ACCAA4-D375-440f-9261-58B7221B7317}
  (Created by the rundll32.exe process hosting sshnas21.dll; a Global\ mutex with a fixed GUID is a usable host-based indicator for this sample — check for it in a live-response or memory triage.)

Network Details:

DNS: livedoor.com
  Type: A
  125.6.149.67
DNS: yieldmanager.com
  Type: A
  208.67.66.24
(Analyst note: both are legitimate, high-traffic domains; these lookups are more plausibly an internet-connectivity check than command-and-control. No download or C2 traffic is visible in this capture, so the actual payload source for this downloader is not established here — do not block these domains on the strength of this report.)


Strings
(Analyst note on notable strings below: the embedded manifest requests requestedExecutionLevel "highestAvailable" under the assembly name "Windows - Setup UAC" with supportedOS entries for Vista and Windows 7, i.e. the sample asks for the highest privilege the user holds and names itself to look like a Windows setup component in the UAC prompt. Imported names include VirtualAllocEx, CreateThread and WaitForSingleObject, which are capable of — but not proof of — remote process injection (compare Dr. Web's "Trojan.Inject" label). Several library names appear with inserted junk characters (e.g. "KERNsL32", "MFC42^.DL", "rHMSVOCRT", "VERCSION.DL"), which is consistent with an obfuscated or partially encrypted import table. The DOS-stub message "This program must be run under Win32" is typical of Borland/Delphi-linked binaries; the GUI and version-resource strings are most likely decoy content from the wrapper rather than functionality of the payload.)
B.....
8c.ccJ....
K.
..q
?
.
...+.
C
Q
8
M
s
S
i....
...
040904E4
 2010 H PC Tools.  All rights reserved. Jv
3C MW
7.0.0.61
8OmB
9ixoS
&About
BBABORT
BBALL
BBCANCEL
C5xM
Comments
CompanyName
Copyright 
dmagsQh.exe
E&xit
&File
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
MAINMENU(
MYVideo Component
&Open
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
videosoft
VS_VERSION_INFO
ytBcA
^04BC;
0&4p8[<O
_|0B9A A
%0&dl`mB5
 <0<@<P<dEt
0Pni4C
<0`{S@
,`0S4IS
0sGcysC
+0\TB`
0x6y<~B
0ZHxKZ
"><1+1sG
19&vyegW
1[9$y(
1C*A9K 
1k(yh_
1O$basi
1O:MQ?
(>"2EwW
2;jYt@
]2MG,Q
2NLQlN5ztk
&/2sP|
:33:"$
"*"$33
3333:"$
333333
3333333
$3333333
33333333
33333333?333333
333333333333333333
3333333333333338
333333:"33333338
33333:"$3333338
3333339
333338
33333833
#33338
:*"*"$3338
333838
334C33333338
33B$3333333
34""C33333833
:388>K<a<t<
3B""$33333
3b;kE;
3Gnd9n
3PCYNkAf
;]~3QM
3]%^QS
3U+EtR
3xAFrameH
40Re3v;9
453!Z0
4!:,87
4,:;8E>T<c<q<
4]#[AYPW
4"*""C3338
4D`@~U
5|;}A}F}\}z}
<*`5A GfdM
5BPI`]1
5FgOE m
5fuivb
>5J^.6C
5MBlU	EFA
5mKfh;
5]vBkE%
6\543L10
69P|M3C
6A W(6
+6D3[C-
6fwcZYN
6gg9ppF3
~&6HkW
[6iKbr
6IzL]rb
6R(Vi^`j
72T_QC
7;5>Z@
78C9)}
7E1wBg@
7PCw`4
7S26WB
7tdjpD
 7U[2B
7YEpW{U
8AUTwuHX
8b9~a-<
@\8{C$|Et-E
8CzWzD
:8D>I<i<z<
@8D>V<[<a<k<q=w<
8E NdVn
8FLh$k`
:*8jCQ
8'_N(6
8n@hYLRzZ
8Q>Y<^
90]4xQ
90vU O
,	<9C'D
_9pkJH@4
]9<pZ"
9	UcMh
9uiS=B
9VNCPS`
9Z"jP;L
'&%$#"A! 
)A0>PO8&
A2d#o+6bB7
]!A2iv
A3E@r12rWLC19
A4:eyK
'-A`)>6
%A 6`>
aD^SQe
AE=e+a`D4
A>fT5U
}[}a}i}r}w}|}
akb|MHEGXT,%#
a=&-MkQd}\
ANiC&;$
  </application> 
  <application> 
A.rdat
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
AS /-+W<BL
%au'|-
Auf"dNQ
'aWi7r
AYrC[a
`b{0}H
B`4YVg
b5]?&vC
B6o+xf31*A
@bAAfq6
BfKMC;{
b{H76	
B-lom]
BoApInfoEdKERNsL32d
Bq$p4j7y
|bQzWykaR
@<B<R<\<b<h<n=u<
bT9yKmJG81BDa
BZQ6uX
C#@< $
(;'?C0
c)$25~
#c26mY4043qLTXjoCkOWD
C2Q2VRAL92XgjRb
"C3338
C4&3=2
c}4 9h
c5"{Nj3z
"C8338
_Cb8 ^
`;CCb,
C] :d"`
CEWSqI]
,CfQ(K
CfX&W96
CG987654
CharLowerA
CharNextW
CharUpperA
CharUpperBuffA
^}c}i}o}u}{|
_Ckq9+
ClientToScreen
CloseHandle
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
`CQeRJm
CreatePopupMenu
CreateThread
CreateWindowExA
$$C[SnCWindowT
C	TtP:
CUNIQSxTR
cvTpSD@12
cxaEx^K
;]"[C)Y5W?UEs8
czN/z#
D2B|"]
d4lS2_
(D6Bro_jR4f?9$C
D6ujUW
=D7h<^j'r
?>=<;d:9"
D9+FO]
D=a!i;
`.data
DBG%AKODR>
"dBitm
DC$/5BQ7
DcNE&s
DefFrameProcA
dKnO"7
dkwK07
DlCaW7iK
@dL`fu
D=l%~G(
+d?lrm
dmagsQh.exe
	dmWAZ
dN8IHhw
`&dph[lNp
dqAme-r]
d	Q>?PAA=
dqvB(h
DrawMenuBar
D\.uh@
&\DUJNRG}@
DURP4LJ
dv>\E@
dVHR\Xcp\F
,DVT40
dy%zSZ^JG'4QD
&E0SQzjr
e2ARyqNMF
e[3.EYv#
e)<<40:6@
E5-eA M
E&(9wu
E>a1;Q
?Ea7y9N>2
ECLMxOXwpDR
	eIj?@>
^eIn"8
	#ej./
<Ej3%O
ejyUDr0@24
E'LM"$V
_E~<m`
E~ mB"
EmptyClipboard
EnableScrollBar
EndDialog
EndPaint
eN@!QJ
EnumChildWindows
e#;QI_
eTAoAW
eUBGPhw
ExitProcess
$f ~@]-
F}?0VM
&f#5De
*f5n'Q
FaRLhG
f;#Cd&c
^f%ESUw
- f&hA
>]'fK8
fL'>Nu
F|L}R}X}^}d}j}p}v}|}
fPm5Y\f
fQe<A@
{FQK}Ya
[!fsFMbL
F!Sk@$
*fv%i 
fv+ox]wj
fVrMz+
!FW;0|
fW6eE4
Fwa}OH
FX_@g9MKb
(FxX15
Fz6h1V28'
g21j4a
g2Cb<~
*g3Q3M
g6+"'y
GetClassInfoA
GetDesktopWindow
GetFileAttributesA
GetFileSize
GetFocus
GetForegroundWindow
GetKeyboardState
GetKeyNameTextA
GetKeyState
GetLastError
GetLocaleInfoA
GetMenu
GetMenuItemID
GetMenuState
GetParent
GetScrollInfo
GetScrollRange
GetSysColor
GetSysColorBrush
GetSystemMenu
GetSystemMetrics
GetTickCount
GetTopWindow
GetUserDefaultLCID
GetWindowDC
GetWindowLongA
GetWindowLongW
G&e!YW
Gizeof$
Gj~2r w;fh
/G"JTc
GlobalDeleteAtom
GqI"&l
G_+QkAv}
G~QM]!
g\UTXF-8`
GW68x74R
|Gw9NU
GXUNOC
"Gzs8meu
H|[7CO/
H?&A8+
hajw ~`
hb>Se_
h?+C	'
h@cCM"K;
HeapDestroy
hHkyt4Bl
<)_%hi
HkDCqqXH6DDThRON
Hk>fJ	
hK_uAV!
H|N}T}Z}`}f}l}r}x}~}
]H&Tt[pM
H&VAXh
hVCY?3
H%zAmKLp
h,zens>
-,+^*)(I
'-I+}1J~
i1;r2s/
I]cxHC
@.idata
idy:#vX	C%
IGmZ}<
 ij}8a
ILmWPaAzEK
iM1$;F5
^I]MLph
IN1c^T
InmbW_
)Ioctl7m
iPt!~u/
"I\q$5=C
i ),`.rEdat
IsCharLowerA
IsDialogMessageW
IsIconic
IsMenu
IsValid
IsWindowVisible
=ItX.e
IY+Z>Aw
^IZsRZy
J2ZxrqL4l
"J333333
j\[3{l
jAmzCw
"J"C3333
JEW7O1p@eWgo
=J_)G9
J"gC@DU
ji]	!g
]J&P<fR
jQ>I:$	@
;;@JRA
jrS	`x
]JT*f_
jU+20_t>@C
Jxn_au8uaf
k1a"_jJ
KaA)z}
K>b;Pl
@kE.ejm
KERNEL32.dll
KH(kSu
kkb?krj2"
^]k($lL
Kmu2\A
_kne>M?D
KSW0?\
k'v3sU
KVWMO'
;/KY>WClh#q`&
=L"1.0
~L2c2l^dkuNBEX7
L3L6LRQ
&*l9/3]
lApRxNcEWyYD
l'A"Pt
lBexdy<
LCpYaA32A
L-D9#/
LD&A/Q
LEA&r#
lgaJK4
LHgiM7ZqBUVlkEDVSOs~
LHPR\;
LMMClN
lNhskbvALnCc0"rN8eK
LoadIconA
LoadKeyboardLayoutA
LoadLibraryA
|#lPbv
lPVBF$
]L+Q("#b?
lstrcpynA
lstrlenA
lstrlenW
l@@SWR
^;\lt_
LTypS;"
@LV`be2NLjvXgLA
LwzA|dlR2
 &M0M{
main.cpl
MA	;Ph
MapVirtualKeyA
mD3k8x9
ME?&5bF+
MessageBeep
MFC42^.DL:zIz_
`M>ful
MHcL&PnT
 m^hco
MkajhB
mNbly 
MN_Cu2U
MPh3kbO
<MPo/]
mXUzqMrJ<a
M=ZeEn
M\zQc{lH
m[Z}^s
N0UC^U^ea
N2O-1}mC
n4A:I8X>h<v<{<
N9,@F=(
NAI)-}
N$C_NO
N/E5BRT
NEk5BD
nG;TpK
#$\nH_
njUAKj
N"LtOs
n%OGF}
NPEJLz
np,l:U
O2*%02Dx#'
O2WYVYQ
\o3 in
o%>42\\
O=4{sDc
_oc7tXzVzwy
Oc"M 4
o]ETstalX_rfVERCSION.DL
OffsetRect
_O<^]G
O=HIJ	4
!oiwKX
 o$:]K
ok2u2c
oKyP`.
oleaut32.dll
OpenIcon
]os*^l
oXc]a$
 >@p-"
?p_}"{
P0EC{(9
& p,[0N4
P0R?\y
P26AX_
(=P{A<t
pD.0b>9
PeekMessageW
?pIIgKD
P+~_=K ye
PLETnXIVAl2_?J7
=pMs3F
PNKqAQ&
PsfhJ5sjbCD
PtInRect
PUDd_ II	g
PV@6CH
pyN*xK
PZEOHC
q!>2?_
 *Q3HE
Q7@pm.
qEi@m?2
)Q@f`K
'qhfcN
QJ0OCr
\QP=A?:d(
QP(Fw>
Qq0}Mc"
qrrjKKco@24
QU2}>R
}q')^w
Q+YJMs
) -R.5
Rbf>(>
r`d;@<~
ReadFile
RegisterClassA
RegisterTypeLib
RegisterWindowMessageA
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
;<r_{G
rHkJKP
rHMSVOCRT.u
RiEg3F,
$R-IM;Vw
&rK/"g
_rLqj0Uc@24
RpTgkeMZ
R\	sO[A
@.rsrc
'.}RUEk
$r WKR.&S
#rX$ba
S4{FxLfR
s5b74L
@S6[_8
s7]\g|J
S$`@8f
SafeArrayCreate
SafeArrayGetElement
SafeArrayPtrOfIndex
}SB]VC
S%cE-D
~SCfO/
={S%CL
      </security>
      <security>
SendMessageW
SetActiveWindow
SetCursor
SetErrorMode
SetHandleCount
SetRect
SetScrollRange
SetWindowLongA
SetWindowPos
SFUVW3
SF_y} 
ShowScrollBar
ShowWindow
sl19dCq
SmVE~&/>
soeyP31j1dF
_SOIdKLQqX_zhHS
SO\TjW
<SPQM)
S:{Q@xGdNgE&9n
s;TQW>\3
SU97m\
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
SuqUAgHVIK
S;UVWx
sv(=W'
s_)x	nw
Sxpyu~
SysFreeString
S_z'?T
#t4g+f
t6R{2ommJ<
?T7_SY
t'9^02j
T|c}i}o}w}|}
^%Tc\{v8
Tc/Wu 
=TfA*0
t<fQ|W
tgc|	u-f
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This pQrog
This program must be run under Win32
%t]>*j
TNI>IS1
tP},QzSJ
TranslateMessage
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
_tuQIFpOA
<tVz,>, 
tx|vOfok
t{x`wCpoQ@
U=,7T@
U&~_.-b
(u@b9]
U[c^O-
[UdSnQ
UEFM^RB2
u@f}"d+
UHuJO<6
u}I_'L
Uk6tC3ef
U#m%R*
>UNFIQ2ST
UpdateWindow
u$q[&|c
uQnlMO
^urFyNYI
urKE9F{
URS`Qk
USER32.dll
_u{Smy
u(,Ync
UzuIX4dQ
";V(%+
\v	cEHR
Vc]Ov?M|
vC_"Q^6
V^DnT^oNaQYP
VF o`u
VH.+b9
vhC	.d
V|H+QZ
VirtualAlloc
VirtualAllocEx
VirtualFree
vIs*5E
vmvphSpty
VNNHrbloyLQ,UHYhNy2
_VP9] 
VqJ9]mvkFnpa
vr*;c>?&
VU1O8:
"@vYL& FL
W2z$kOP
W5FJzeUbm
w8c222x,D26b^0O
WaitForSingleObject
wER/78
WgtfnC3vF6Z@8
WindowFromPoint
wjI-?Qr
wJ|_Qj
WKTWGZbxDb
;WMAFU
W_Ukuv
]W<U@SD
W?'xXF6
	WZ=;{
/x5y;~A
x6h#,|`f
x6W'8,
X<7 2N
X8#6znam
x>8[,y
)X#\AuD
!?;XCd_
 x$E(E=
X;fbkqE
	}@/xFM
XiZWpU
Xlm}3?
<?xml 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XMUWLl
x.o^Hi~pbHard.
XSrVAB
=xt*fU,
=X=T=P=L%H
x>wCUXt`
Y\0V@^
Y2K~1b
Y2W=UCSK{QP5
=y!9xG
YB}wCo
YC_^][Yk
y(f]8{
ygZ`hO
YHP^e40
'YK8Aq3
y"oFwRChx
y#=PEM
ySC\fb
["Y'W1UzBS
]Y$W)UEc\_
Yxdyl~
z{9 n*vy=
z!aLti
ZBjzIWETUHM
\?z?CA
=zCsZOjv
z;@D#:B
zdRNLb
zFhv7^[K~
zJ?ZqKda
Zk6dHUT
ZmUWQ(+y
~~'Znu
`{+"zT$
zwL_`2RcnS^iDY8Mr
${z_xg